Public Power Cyber Incident Response Playbook

Acknowledgment: This material is based upon work supported by the Department of Energy under Award Number(s) DE-OE0000811.

Disclaimer: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

The information in this Public Power Cyber Incident Response Playbook is provided strictly as reference material only; it is not intended to be legal advice nor should it be considered as such.

Playbook Development

This Playbook was developed by Nexight Group with technical support from the American Public Power Association and its members. We would like to acknowledge the following individuals who provided their time, resources, and knowledge to the development of this Playbook:

Public Power Utilities

Bernie Acre, Bryan Texas Utilities
Cheryl Anderson, Florida Municipal Electric Association
Bill Berry, Owensboro Municipal Utilities
Randy Black, Norwich Public Utilities
David Boarman, Owensboro Municipal Utilities
Phil Clark, Grand River Dam Authority
Jim Compton, Burbank Water and Power
Josh Cox, City of Westerville
Adrian de la Cruz, Kerrville Public Utility Board
Maggie Deely, American Municipal Power, Inc.
Colin Hansen, Kansas Municipal Utilities
Jennifer Keesey, Northwest Public Power Association
Branndon Kelley, American Municipal Power, Inc.
Mike Klaus, Central Nebraska Public Power & Irrigation Dist.
Kurt Knettel, New Braunfels Utilities
Matt Knight, Owensboro Municipal Utilities
Melvyn Kwek, Guam Power Authority
Matt Lee, Platte River Power Authority
Ken Lewis, Salt River Power
Chris Lindell, Beatrice City Board of Public Works
Carter Manucy, Florida Municipal Power Agency
Robby McCutcheon, Kerrville Public Utility Board
Rob Morse, Platte River Power Authority
Michelle Nall, Glendale Water & Power
Erik Norland, Chelan Public Utility District
Steve Schmitz, Omaha Public Power District
Chad Schow, Franklin Public Utility District
Kenneth Simmons, Gainesville Regional Utilities
Scott Smith, Bryan Texas Utilities
Howard Wong, Glendale Water & Power

Association Staff

Jack Cashin, American Public Power Association
Chris Ching, American Public Power Association
Meena Dayak, American Public Power Association
Alex Hofmann, American Public Power Association
Nathan Mitchell, American Public Power Association
Sam Rozenberg, American Public Power Association
Giacomo Wray, American Public Power Association

Association Partners

Kaitlin Brennan, Edison Electric Institute
Jason Christopher, Axio Global
Chris Kelley, Beam Reach Consulting Group
Lindsay Kishter, Nexight Group
John Meckley, Edison Electric Institute
Aaron Miller, MS-ISAC
Mark Mraz, Beam Reach Consulting Group
Jason Pearlman, Nexight Group
Valecia Stocchetti, MS-ISAC
Paul Tiao, Hunton Andrews Kurth

The American Public Power Association is the voice of not-for-profit, community-owned utilities that power 2,000 towns and cities nationwide. We represent public power before the federal government to protect the interests of the more than 49 million people that public power utilities serve, and the 93,000 people they employ. Our association advocates and advises on electricity policy, technology, trends, training, and operations. Our members strengthen their communities by providing superior service, engaging citizens, and instilling pride in community-owned power.

Table of Contents

1. Executive Summary (p. 4)
2. Getting Started: Building a Cyber Incident Response Plan and Procedures (p. 6)
3. Engaging Help: Activating the Response Team and Engaging Industry and Government Resources (p. 16)
4. Digging Deeper: Technical Response Procedures for Detection, Containment, Eradication, and Recovery (p. 25)
5. Strategic Communication Procedures (p. 33)
6. Cyber Incident Response Legal Procedures (p. 40)
7. Sample Cyber Incident Scenarios (p. 43)
Appendix A: Incident Response Plan Outline (p. 48)
Appendix B: Incident Handling Form Templates (p. 51)
Appendix C: DOE Electric Emergency Incident Disturbance Report (OE-417) (p. 56)
Appendix D: Sample Cyber Mutual Assistance NDA (p. 61)
Appendix E: Resources and References (p. 65)

1 EXECUTIVE SUMMARY

How to Use the Playbook

This Playbook provides utilities with practical guidance and critical considerations in preparing for a cyber incident and developing a response plan that enables staff to take swift, effective action. Cybersecurity managers can use the Playbook as a step-by-step guide to prepare for an incident.

The Playbook includes an outline for a cyber incident response plan and a process for response planning, and offers high-level procedures and templates that a utility can use to develop its own response plan.

Overview of Playbook Guidance

The Playbook provides step-by-step guidance for small to mid-sized public power utilities to help them prepare a cyber incident response plan, prioritize their actions and engage the right people during cyber incident response, and coordinate messaging. The Playbook serves three key purposes:

1. Provides guidance to help a utility develop its cyber incident response plan and outline the processes and procedures for detecting, investigating, eradicating, and recovering from a cyber incident.

2. Maps out the industry and government partners that public power utilities can engage during a significant cyber incident to share information, get support for incident analysis and mitigation, and coordinate messaging for incidents that require communication with customers and the public.

3. Outlines the process for requesting cyber mutual aid from utilities across the energy industry for a cyber event that significantly disrupts utility business or operational energy delivery systems and overwhelms in-house cyber resources and expertise.

The Playbook walks a utility through the following steps:

1. Identify your cyber incident response team.

Clarify who the key players are, outline roles and responsibilities, and clearly identify which individuals have the authority to take critical response actions. Document how to contact team members 24/7, designate an alternate for key roles, and outline a battle rhythm for how and when the team will convene and deliver updates.

2. Identify contacts and response service contracts for cybersecurity service providers and equipment vendors.

Keep an updated list of vendor contacts and the support they can provide if a vulnerability is identified in vendor equipment. Identify a contact person for the Internet Service Provider (ISP). If the utility has contracted with third-party service providers for incident investigation, forensic analysis, or other forms of incident response support, identify the contact person, determine the process for engaging their support, and identify the person on the Cyber Incident Response Team (CIRT) who is authorized to engage their services. Determine the expected response timelines for each partner.

3. Understand the system and environment.

Document where system maps, logs, and inventories are kept and maintained, along with the person who has the credentials to access them. Document access credentials and procedures for removing access or providing temporary access to incident responders.

4. Outline your incident reporting requirements and timelines.

Depending on the type or severity of a cyber incident, utilities may be required to report the incident to regulatory agencies and local/state/federal officials, often within the first 24 hours of an incident, and sometimes in as little as 6 hours. Determine your legal and contractual obligations to report incidents to federal/state/local officials, insurance providers, and other third parties.

5. Identify the response procedures the CIRT will take to investigate, contain, eradicate, and recover from a variety of different incidents.

Document procedures for investigation and documentation, incident containment actions for various types of attacks, and procedures for cleaning and restoring systems. Identify and pre-position the resources needed to preserve evidence, make digital images of affected systems, and conduct a forensic analysis, either internally or with the assistance of a third-party expert.

6. Identify the external response organizations, including law enforcement, information sharing organizations, and cyber mutual assistance groups, that the utility might engage during cyber incident response, particularly for severe incidents that outpace utility resources and expertise.

Identify key contacts within external response organizations and build personal relationships in advance of an incident. Determine how much information to share and when. Document who has the authority to engage these organizations and at what point they should be notified.

7. Develop strategic communication procedures for cyber incidents.

Identify the key internal and external communications stakeholders, what information to communicate and when, and what type of cyber incidents warrant internal communication with employees and public communication with customers and the media. Develop key messages and notification templates in advance.

8. Define response procedures and responsibilities of the utility's legal team during cyber incident investigation and response.

Cyber incident response should be planned, coordinated, and executed under the guidance of the legal team.
